Managing Serviceguard 14th Edition, June 2007

Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5
MONITOR and FULL_ADMIN can only be set in the cluster configuration
file and they apply to the entire cluster. PACKAGE_ADMIN can be set in
the cluster or a package configuration file. If it is set in the cluster
configuration file, PACKAGE_ADMIN applies to all configured packages;
if it is set in a package configuration file, it applies to that package
only. These roles are not exclusive; for example, you can configure
more than one PACKAGE_ADMIN for the same package.
NOTE: You do not have to halt the cluster or package to configure or modify
access control policies.
Here is an example of an access control policy:
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
If this policy is defined in the cluster configuration file, it grants user
john the PACKAGE_ADMIN role for any package on node bit. User john
also has the MONITOR role for the entire cluster, because PACKAGE_ADMIN
includes MONITOR.
If the policy is defined in the package configuration file for PackageA,
then user john on node bit has the PACKAGE_ADMIN role only for
PackageA.
You will not be allowed to configure roles that conflict; if you enter
conflicting roles, Serviceguard will fail with an error when applying the
configuration. (“Wildcards” are an exception: it is acceptable for
ANY_USER and john to be given different roles.)
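A pre-check for the two rules above, written as an added example (it is not Serviceguard's own validation logic or code from this manual): it parses USER_NAME/USER_HOST/USER_ROLE triplets, flags roles that may not appear in a package configuration file, and reports a conflict when one named user on one host is given different roles. That reading of "conflict", one value per keyword, the user mary and all function names are assumptions.

```python
from collections import defaultdict

ROLES = {"MONITOR", "PACKAGE_ADMIN", "FULL_ADMIN"}
PACKAGE_FILE_ROLES = {"PACKAGE_ADMIN"}   # MONITOR and FULL_ADMIN are cluster-file only
WILDCARD_USERS = {"ANY_USER"}            # the only wildcard this page names
KEYS = ("USER_NAME", "USER_HOST", "USER_ROLE")

def parse_policies(text):
    """Collect USER_NAME/USER_HOST/USER_ROLE triplets; other parameters are skipped."""
    policies, cur = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, then tokenize
        if len(fields) != 2 or fields[0] not in KEYS:
            continue
        key, value = fields
        if key == "USER_NAME":                     # USER_NAME opens a new policy
            cur = {"line": lineno}
        cur[key] = value
        if key == "USER_ROLE":                     # USER_ROLE closes it
            if set(cur) != {"line", *KEYS} or value not in ROLES:
                raise ValueError(f"line {lineno}: incomplete or unknown policy")
            policies.append(cur)
            cur = {}
    return policies

def find_conflicts(policies):
    """Assumed rule: one non-wildcard user on one host with different roles conflicts."""
    seen = defaultdict(set)
    for p in policies:
        if p["USER_NAME"] not in WILDCARD_USERS:
            seen[(p["USER_NAME"], p["USER_HOST"])].add(p["USER_ROLE"])
    return {who: sorted(roles) for who, roles in seen.items() if len(roles) > 1}

def misplaced_roles(policies):
    """Policies in a package file whose role may only be set in the cluster file."""
    return [p for p in policies if p["USER_ROLE"] not in PACKAGE_FILE_ROLES]

# Constructed sample input: the two john entries mirror the page, the rest is made up.
CLUSTER_SAMPLE = """\
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
USER_NAME john
USER_HOST bit
USER_ROLE MONITOR
USER_NAME ANY_USER   # constructed wildcard entry
USER_HOST bit
USER_ROLE MONITOR
"""
PACKAGE_SAMPLE = "USER_NAME mary\nUSER_HOST bit\nUSER_ROLE MONITOR\n"

if __name__ == "__main__":
    print(find_conflicts(parse_policies(CLUSTER_SAMPLE)))
    print(misplaced_roles(parse_policies(PACKAGE_SAMPLE)))
```

Run it over the access control section of a configuration file before applying the configuration; an empty result from both checks means neither rule was tripped under the assumptions stated.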
For example, consider what would happen if these entries were in the
cluster configuration file:
# Policy 1:
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
# Policy 2:
USER_NAME john
USER_HOST bit
USER_ROLE MONITOR
# Policy 3: